Interesting read on how to detect PhantomJS, particularly the stack trace detection. Though I'm curious whether these methods will still work if the adversary is using Selenium rather than a headless browser? In other words, what could be done to detect a Selenium instance over a human using the browser?
The first thing that comes to mind is that Selenium doesn't generate mouse move events when doing something like clicking two different buttons on a page, or when testing something like hover. So I would definitely concentrate on user-generated events, assuming that it's not easy to detect on the backend (via something like user-agent).
